Permissions in vSphere
Splunk App for VMware must use valid vCenter Server service credentials to gain read-only access to vCenter Server systems using API calls. The account's vSphere role determines access privileges.
The following sections list the permissions for the vCenter server roles for all of the VMware versions that Splunk App for VMware supports.
Permissions to use your own syslog server
Best practice dictates that use your own syslog server, and that you install a Splunk Enterprise forwarder on the server to forward syslog data. Use these permissions to collect data from the ESXi hosts using your own syslog server. These system-defined privileges are always present for user-defined roles.
Permissions to use an intermediate forwarder
Use these permissions if you configure your ESXi hosts to forward syslog data to one or more intermediate Splunk Enterprise forwarders. Use the vSphere client to enable the syslog firewall for the specific hosts. Note that in vSphere 5.x you do not need to add permissions beyond the default ones vSphere provides when creating a role.
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.3.0